Working Group 6: Secure BGP Deployment March 22, 2012 Andy Ogielski, Renesys Jennifer Rexford, Princeton U. WG 6 Co-Chairs.


1 Working Group 6: Secure BGP Deployment March 22, 2012 Andy Ogielski, Renesys Jennifer Rexford, Princeton U. WG 6 Co-Chairs

2 WG 6: Mission Statement
- Short description: The Border Gateway Protocol (BGP) controls inter-domain packet traffic routing on the entire global Internet. BGP relies on trust among operators of gateway routers to ensure the integrity of the Internet routing infrastructure. Over the years, this trust has been compromised on a number of occasions, both accidentally and maliciously, revealing fundamental weaknesses of this critical infrastructure. This Working Group will recommend the framework for industry regarding incremental adoption of secure routing procedures and protocols based on existing work in industry and research. The framework will include specific technical procedures and protocols. The framework will be proposed in a way suitable for opt-in by large Internet Service Providers (ISPs) in order to create incentives for a wider scale, incremental ISP deployment of secure BGP protocols and practices in a market-driven, cost-effective manner.
- Duration: August 2011 – March 2013

3 WG 6 – Participants
Participant list updated 2012/03/08
- Andy Ogielski, Renesys, Co-Chair
- Jennifer Rexford, Princeton, Co-Chair
- Shane Amante, Level 3
- Danny McPherson, Verisign
- Daniel Awduche, Verizon
- Doug Maughan, DHS S&T
- Ron Bonica, Juniper
- Doug Montgomery, NIST
- Jay Borkenhagen, AT&T
- Christopher Morrow, Google
- Martin Dolly, ATIS/AT&T
- Sandra Murphy, SPARTA
- Andy Ellis, Akamai
- Mary Retka, Century Link
- Sharon Goldberg, Boston U.
- Isil Sebuktekin, Telcordia
- Adam Golodner, Cisco
- Ted Seely, Sprint
- Kyle Hambright, Las Vegas Metro Police
- Greg Sharp, Internet Identity
- Lars Harvey, Internet Identity
- Tony Tauber, Comcast
- Michael Kelsen, Time Warner Cable
- David Ward, Cisco
- Ed Kern, Cisco
- William Wells, TeleCommunication Syst.
- Eric Lent, Comcast

4 WG 6 – Problem Statement
- Interdomain routing is fundamental for operation of the Internet (the “Inter” in Internet)
- BGP protocol is simple
  - BGP router may relay messages to neighbors about routes
  - Every route is constructed hop-by-hop, with NO global authority
- BGP policy is complex
  - Networks apply local policies for accepting & propagating routes
  - This is good: Great flexibility to support networking business, availability, robustness and disaster recovery
  - This is bad: Vulnerability to propagating false routes that were maliciously or inadvertently generated

5 WG 6 – Problem Statement Cont’d
How to secure such a system?
- BGP was built on trust that routes received are legitimate
- Trust but Verify! All BGP security solutions offer some form of validation of routes
- First do no harm! Any tinkering with BGP must avoid damaging reachability of end users, or compromising scalability
- Since the Internet’s many constituent networks have different objectives and business concerns, any viable security solution must preserve the local autonomy of Network Operators

6 WG 6 - Methodology
- Document known threats
  - Real BGP security incidents, and known vulnerabilities
- Identify a suite of BGP security solutions
  - Current best common practices
  - Origin certification
  - Cryptographic path validation
- Identify dimensions for comparing solutions
  - Technical maturity, and cost to deploy and operate
  - Trust models and governance
  - Security benefits, residual threats and new attack surfaces
  - Feasibility of incremental deployment
  - Impact on autonomy of network operators and nations
- Derive preliminary recommendations

7 WG 6 – Initial recommendations
- Ground truth through resource registration and certification
  - Network Operators should ensure their Internet Routing Registry records are public, complete, and up-to-date
  - Network Operators should encourage the American Registry for Internet Numbers (ARIN) to deliver a hosted Resource Public Key Infrastructure (RPKI) service
  - Network Operators should encourage a single global “root of trust” for the RPKI

8 WG 6 – Initial recommendations
- Phased deployment of techniques to detect and prevent route hijackings
  - Network Operators should track the developments in the BGP security community
  - Network Operators should consider phased deployment strategies for using certified routing data in ways that are consistent with their own internal policies
  - The BGP security community should investigate new risks introduced by resource certification

9 WG 6 – Initial recommendations
- Apply metrics for continuous evaluation of security solutions
  - The BGP security community should evaluate existing BGP security metrics, and extend them where necessary
  - The BGP security community should perform continuous monitoring and analysis of BGP security incidents

10 WG 6 – Ongoing Work for Future Reports
- Evaluation of risks associated with deployment and use of a hierarchical resource certification system for Internet network addresses and their bindings.
- Recommendations for security metrics and measurement methodologies for calibrating the current levels of BGP security incidents and evaluating effectiveness of proposed solutions.
- Editorial improvements: Glossary of technical terms and concepts.

11 WG 6 – Conclusions
- There is consensus among WG 6 members that Internet number resource allocation, trustworthy certification, operational procedures and related externalities have very considerable implications for security
- While unanimity in recommendations was an objective from the outset, each of the views expressed herein is not necessarily shared by all WG 6 members
- We note that the recommendations are strictly advisory in nature
- We will keep refining the recommendations and continue to explore ways to improve the security of inter-domain routing

